From: Jeremy Kerr <jk@ozlabs.org>
To: <linuxppc-dev@ozlabs.org>
Subject: [PATCH 10/25] spusched: fix null pointer dereference in find_victim
Date: Fri, 14 Sep 2007 16:32:54 +1000
Message-ID: <1189751574.104447.719838727251.10.gpush@pokey>
In-Reply-To: <1189751574.98527.127994196313.1.gpush@pokey>
From: Christoph Hellwig <hch@lst.de>
find_victim can dereference a NULL pointer when iterating over the list
of victim spus because list_mutex only guarantees spu->ctx to be stable,
but of course not to be non-NULL.
Also fix find_victim to not call spu_unbind_context without list_mutex
because that violates the above guarantee.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Arnd Bergmann <arnd.bergmann@de.ibm.com>
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
---
arch/powerpc/platforms/cell/spufs/sched.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/powerpc/platforms/cell/spufs/sched.c b/arch/powerpc/platforms/cell/spufs/sched.c
index 17806e0..4d257b3 100644
--- a/arch/powerpc/platforms/cell/spufs/sched.c
+++ b/arch/powerpc/platforms/cell/spufs/sched.c
@@ -594,7 +594,7 @@ static struct spu *find_victim(struct spu_context *ctx)
list_for_each_entry(spu, &cbe_spu_info[node].spus, cbe_list) {
struct spu_context *tmp = spu->ctx;
- if (tmp->prio > ctx->prio &&
+ if (tmp && tmp->prio > ctx->prio &&
(!victim || tmp->prio > victim->prio))
victim = spu->ctx;
}
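Review bot: at `victim = spu->ctx;` the loop re-reads the pointer that was just NULL-checked through `tmp`; because list_mutex keeps spu->ctx stable the two loads are equivalent, but assigning `victim = tmp;` would make the new `if (tmp && ...)` guard visibly cover the value that is stored and avoid the second load.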
@@ -626,9 +626,9 @@ static struct spu *find_victim(struct spu_context *ctx)
mutex_lock(&cbe_spu_info[node].list_mutex);
cbe_spu_info[node].nr_active--;
+ spu_unbind_context(spu, victim);
mutex_unlock(&cbe_spu_info[node].list_mutex);
- spu_unbind_context(spu, victim);
victim->stats.invol_ctx_switch++;
spu->stats.invol_ctx_switch++;
mutex_unlock(&victim->state_mutex);
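Review bot: the relocated `spu_unbind_context(spu, victim);` now runs with list_mutex held while victim->state_mutex is also held (it is released at `mutex_unlock(&victim->state_mutex);` three lines later), so this path now nests state_mutex -> list_mutex around the unbind; confirm no other caller of spu_unbind_context takes these two locks in the opposite order. The `spu->stats.invol_ctx_switch++` is left after the `mutex_unlock(&cbe_spu_info[node].list_mutex);`; if that per-spu field is covered by the same lock as spu->ctx, it belongs inside the critical section alongside `nr_active--`.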
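Added example, not part of the patch or of the spufs code: a user-space model of the find_victim() loop that exercises the two points the commit message makes, a per-SPU ctx pointer that the list lock keeps stable but that may be NULL for an idle SPU, and an unbind that clears that pointer only while the list lock is held. The intrusive-list helpers, the atomic_flag spinlock standing in for list_mutex, the struct layouts and the scenario (three SPUs with contexts at prio 120 and 139 and one idle SPU) are all constructed here; the real code takes victim->state_mutex and does much more around the unbind, which this model omits.

```c
#include <stddef.h>
#include <stdatomic.h>

/* Minimal Linux-style intrusive list (this example's own, not spufs code). */
struct list_head { struct list_head *next, *prev; };

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
#define list_for_each_entry(pos, head, member) \
	for (pos = container_of((head)->next, __typeof__(*pos), member); \
	     &pos->member != (head); \
	     pos = container_of(pos->member.next, __typeof__(*pos), member))

static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{
	n->next = h; n->prev = h->prev; h->prev->next = n; h->prev = n;
}

struct spu_context { int prio; int invol_ctx_switch; };
struct spu {
	struct spu_context *ctx;	/* NULL while the SPU is idle */
	struct list_head cbe_list;
};
struct cbe_node {
	struct list_head spus;
	int nr_active;
	atomic_flag list_mutex;		/* spinlock standing in for list_mutex */
};

static void list_lock(struct cbe_node *n)
{
	while (atomic_flag_test_and_set(&n->list_mutex))
		;
}
static void list_unlock(struct cbe_node *n) { atomic_flag_clear(&n->list_mutex); }

/* Pick the lowest-priority running context that is lower priority than ctx
 * (Linux convention: numerically larger prio means lower priority). As in
 * the patched loop, tmp is tested for NULL before tmp->prio is read, so an
 * idle SPU on the list is skipped instead of dereferenced. */
static struct spu *find_victim(struct cbe_node *node, struct spu_context *ctx)
{
	struct spu *spu, *vspu = NULL;
	struct spu_context *victim = NULL;

	list_lock(node);
	list_for_each_entry(spu, &node->spus, cbe_list) {
		struct spu_context *tmp = spu->ctx;
		if (tmp && tmp->prio > ctx->prio &&
		    (!victim || tmp->prio > victim->prio)) {
			victim = tmp;
			vspu = spu;
		}
	}
	list_unlock(node);
	return vspu;
}

/* Clear spu->ctx only under the list lock, so a concurrent find_victim()
 * never sees the pointer change mid-walk (the patch's second hunk). */
static void preempt_victim(struct cbe_node *node, struct spu *spu)
{
	list_lock(node);
	node->nr_active--;
	spu->ctx->invol_ctx_switch++;
	spu->ctx = NULL;
	list_unlock(node);
}

/* Constructed scenario: SPU 0 runs prio 120, SPU 1 is idle, SPU 2 runs 139. */
struct scenario {
	struct spu_context c0, c2, req;
	struct spu s[3];
	struct cbe_node node;
};

static void setup(struct scenario *sc, int requester_prio)
{
	int i;
	sc->c0 = (struct spu_context){ .prio = 120 };
	sc->c2 = (struct spu_context){ .prio = 139 };
	sc->req = (struct spu_context){ .prio = requester_prio };
	sc->s[0].ctx = &sc->c0;
	sc->s[1].ctx = NULL;	/* the case the unpatched loop dereferenced */
	sc->s[2].ctx = &sc->c2;
	list_init(&sc->node.spus);
	for (i = 0; i < 3; i++)
		list_add_tail(&sc->s[i].cbe_list, &sc->node.spus);
	sc->node.nr_active = 2;
	atomic_flag_clear(&sc->node.list_mutex);
}

/* Priority of the first victim chosen for a requester, or -1 if none. */
int first_victim_prio(int requester_prio)
{
	struct scenario sc;
	struct spu *v;
	setup(&sc, requester_prio);
	v = find_victim(&sc.node, &sc.req);
	return v ? v->ctx->prio : -1;
}

/* Preempt until no victim remains; every later pass walks over the SPUs
 * already idled, so the NULL check is exercised on each iteration. */
int count_preemptions(int requester_prio)
{
	struct scenario sc;
	struct spu *v;
	int n = 0;
	setup(&sc, requester_prio);
	while ((v = find_victim(&sc.node, &sc.req)) != NULL) {
		preempt_victim(&sc.node, v);
		n++;
	}
	return n;
}
```

With the NULL check removed from find_victim() the first pass already faults on SPU 1; with it in place a requester at prio 100 evicts the prio 139 context first, then the prio 120 one, and the idle slot is simply skipped both times.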
Thread overview: 31+ messages
2007-09-14 6:32 [PATCH 01/25] spufs: staticify file-internal functions & variables Jeremy Kerr
2007-09-14 6:32 ` [PATCH 22/25] spufs: Cleanup ELF coredump extra notes logic Jeremy Kerr
2007-09-14 6:32 ` [PATCH 07/25] spufs: remove asmlinkage from spufs_calls Jeremy Kerr
2007-09-14 6:32 ` [PATCH 13/25] spufs: Call spu_acquire_saved() before calculating the SPU note sizes Jeremy Kerr
2007-09-14 6:32 ` [PATCH 25/25] spufs: Add DEFINE_SPUFS_ATTRIBUTE() Jeremy Kerr
2007-09-14 6:32 ` [PATCH 04/25] spufs: make isolated loader properly aligned Jeremy Kerr
2007-09-14 6:32 ` [PATCH 20/25] spufs: Add contents of npc file to SPU coredumps Jeremy Kerr
2007-09-14 6:32 ` [PATCH 23/25] spufs: Handle errors in SPU coredump code, and support coredump to a pipe Jeremy Kerr
2007-09-14 6:32 ` [PATCH 15/25] spufs: Write some SPU coredump values as ASCII Jeremy Kerr
2007-09-14 6:32 ` [PATCH 21/25] spufs: Combine spufs_coredump_calls with spufs_calls Jeremy Kerr
2007-09-14 6:32 ` [PATCH 12/25] spufs: Remove ctx_info and ctx_info_list Jeremy Kerr
2007-09-14 6:32 ` [PATCH 11/25] spufs: Extract the file descriptor search logic in SPU coredump code Jeremy Kerr
2007-09-14 6:32 ` [PATCH 17/25] spufs: Don't return -ENOSYS as extra notes size if spufs is not loaded Jeremy Kerr
2007-09-14 6:32 ` [PATCH 16/25] spufs: Correctly calculate the size of the local-store to dump Jeremy Kerr
2007-09-14 6:32 ` [PATCH 06/25] cell: unify spufs syscall path Jeremy Kerr
2007-09-14 6:32 ` [PATCH 18/25] spufs: Get rid of spufs_coredump_num_notes, it's not needed if we NULL terminate Jeremy Kerr
2007-09-14 6:32 ` [PATCH 09/25] cell: remove DEBUG for spu callbacks Jeremy Kerr
2007-09-14 7:43 ` Christoph Hellwig
2007-09-14 6:32 ` [PATCH 05/25] spufs: fix race condition on gang->aff_ref_spu Jeremy Kerr
2007-09-14 6:32 ` Jeremy Kerr [this message]
2007-09-14 7:44 ` [PATCH 10/25] spusched: fix null pointer dereference in find_victim Christoph Hellwig
2007-09-20 0:13 ` Jeremy Kerr
2007-09-14 6:32 ` [PATCH 24/25] spufs: Respect RLIMIT_CORE in spu coredump code Jeremy Kerr
2007-09-14 6:32 ` [PATCH 08/25] Fix restore_decr_wrapped() to match CBE Handbook Jeremy Kerr
2007-09-14 6:32 ` [PATCH 14/25] spufs: Use computed sizes/#defines rather than literals in SPU coredump code Jeremy Kerr
2007-09-14 6:32 ` [PATCH 19/25] spufs: Internal __spufs_get_foo() routines should take a spu_context * Jeremy Kerr
2007-09-14 7:43 ` Christoph Hellwig
2007-09-14 6:32 ` [PATCH 02/25] spufs: remove asmlinkage from do_spu_create Jeremy Kerr
2007-09-14 7:44 ` Christoph Hellwig
2007-09-14 6:32 ` [PATCH 03/25] spufs: remove spu_harvest Jeremy Kerr
2007-09-14 7:42 ` [PATCH 01/25] spufs: staticify file-internal functions & variables Christoph Hellwig